Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-03-2024 11:36

General

  • Target

    cdf6aebe5de273b6f5d54ee844b3eaa8.exe

  • Size

    408KB

  • MD5

    cdf6aebe5de273b6f5d54ee844b3eaa8

  • SHA1

    00ec31c8deaf1e6329a317dd95e0d6587f9fe137

  • SHA256

    52ce9cc373bec4f16a17d1c84bfda66b22e245c186d03022da08170f83552582

  • SHA512

    4c79d9f0d64f7a27431a301d6e928ec95068277d1543c4400e7dd0f328dfb712d310803dadd6444778289ae748a0b28eb00bf2d0762cf0fa352372b5a574d4c5

  • SSDEEP

    6144:C5+IFll+0ICu/5a0huFFEM6LYXxApXXOCASiwQMKlSef:K+IFlg06/opFEZsXx4H+G/Khf

Malware Config

Extracted

  • Family

    cybergate

  • Version

    v1.07.5

  • Botnet

    Cyber

  • C2

    dreamhacker.no-ip.biz:100

  • Mutex

    4PEY64RFP5RKV6

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    WinDir

  • install_file

    Svchost.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    123456

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

  • Adds policy Run key to start application (2 TTPs, 4 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\Explorer.EXE (depth 1, PID 1336)
    Command line: C:\Windows\Explorer.EXE
    • C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe (depth 2, PID 2232)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe"
      Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe (depth 3, PID 1756)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe"
        Signatures: Adds policy Run key to start application; Modifies Installed Components in the registry; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\explorer.exe (depth 4, PID 560)
          Command line: explorer.exe
          Signatures: Modifies Installed Components in the registry; Suspicious use of AdjustPrivilegeToken
        • C:\Program Files\Internet Explorer\iexplore.exe (depth 4, PID 2064)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        • C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe (depth 4, PID 2456)
          Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe"
          Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
          • C:\Windows\SysWOW64\WinDir\Svchost.exe (depth 5, PID 1164)
            Command line: "C:\Windows\system32\WinDir\Svchost.exe"
            Signatures: Executes dropped EXE

      Downloads
